Friday, May 23, 2014

Administrators cannot open the Security log in Event Viewer on Windows Server 2008 R2 and later

Symptom

When an administrator clicks the Security log in Event Viewer, the following error message appears.

Event Viewer cannot open the event log or custom view. Verify that Event Log service is running or query is too long. Access is denied (5)

Cause

The "NT Service\Eventlog" account has been removed from the permissions on the "HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\eventlog\Security" registry key. This is the account the Windows Event Log service runs under, so once it loses access to that key the service can no longer open the Security log on behalf of anyone, including members of the local Administrators group.

Resolution

By default, "NT Service\Eventlog" is granted the "Allow - Read" permission on this key on Windows Server 2008 R2 and later. The account is usually removed when an administrator applies a Windows security hardening guide written for versions before Windows Server 2008 R2: the ACL those guides recommend for the Security event log key predates the service account, so applying it (for example through Group Policy) replaces the default permissions and drops "NT Service\Eventlog". To solve this issue, administrators can do the following steps.
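The following PowerShell script is an added example, not code from the original post or from Microsoft. It audits the ACL on the Security log's registry key for an Allow ACE that grants "NT SERVICE\EventLog" at least Read, prints the current ACEs so a hardening template that replaced the defaults is easy to spot, and, when run with the (assumed, my own) -Repair switch, adds the missing Read ACE back. It assumes an elevated PowerShell session and that Read is the minimum right the service needs, as the post states for the 2008 R2 and later defaults.

```powershell
<#
  Added example (not part of the original post).
  Checks whether "NT SERVICE\EventLog" holds at least Read on the Security
  event log's registry key and restores that ACE with -Repair.
  Assumptions: elevated session; Read (RegistryRights::ReadKey) is the
  minimum right, matching the "Allow - Read" default described above.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Repair)

$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security'
$Account = 'NT SERVICE\EventLog'   # virtual account the Event Log service runs under
$Needed  = [System.Security.AccessControl.RegistryRights]::ReadKey

function Test-EventLogServiceAce {
    # Returns $true when an Allow ACE for the service account covers every ReadKey bit
    # (FullControl or ReadKey both satisfy this; a Deny ACE is ignored on purpose).
    param($Acl)
    foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -eq $Account -and
            (($ace.RegistryRights -band $Needed) -eq $Needed)) {
            return $true
        }
    }
    return $false
}

if (-not (Test-Path -Path $KeyPath)) {
    throw "Registry key not found: $KeyPath"
}

# Reading the ACL itself needs READ_CONTROL; Administrators keep that even
# under the older hardening templates, hence the elevated-session assumption.
$acl = Get-Acl -Path $KeyPath

# Show who currently has access, so a template-applied ACL is obvious at a glance.
$acl.Access |
    Select-Object @{ n = 'Identity'; e = { $_.IdentityReference.Value } },
                  @{ n = 'Rights';   e = { $_.RegistryRights } },
                  AccessControlType, IsInherited |
    Format-Table -AutoSize

if (Test-EventLogServiceAce -Acl $acl) {
    Write-Host "OK: $Account has Read on $KeyPath"
    return
}

Write-Warning "$Account has no Allow Read ACE on $KeyPath (the cause of 'Access is denied (5)')"

if ($Repair) {
    # Allow Read, inherited by subkeys, for the service account.
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $Account, $Needed, 'ContainerInherit', 'None', 'Allow')
    if ($PSCmdlet.ShouldProcess($KeyPath, "Add Allow Read ACE for $Account")) {
        $acl.AddAccessRule($rule)
        Set-Acl -Path $KeyPath -AclObject $acl
        Write-Host "Added Allow Read for $Account. Restart the Windows Event Log service (or the server), then reopen the Security log."
    }
}
```

Run it without parameters first to see the audit only; -WhatIf together with -Repair shows the change without applying it. The script only adds an ACE and never strips the existing ones, so whatever the hardening template granted to Administrators and SYSTEM stays in place. If the hardening ACL is delivered by Group Policy, fix the policy as well, or the next policy refresh will remove the account again.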